There are immediate and long-term benefits to investing quality time and effort into your engagement brief. Whether you’re just starting your cybersecurity journey or a veteran of the game, equipping your brief with the tools for success will immensely benefit your engagement performance. In this blog post, I walk you through how to write an accurate and well-articulated brief to incentivize hackers to hunt on your engagement. Specifically, I’ll go over several key considerations:
Before we dive deeper, allow me to introduce myself! My name is Rami 👋. I’m a Security Solutions Architect at Bugcrowd. My goal is to help you optimize your Managed Bug Bounty (MBB) and get the most value out of your engagements. My work is generally carried out behind the scenes, but nevertheless, I’m often the person your TCSM will go to for advice! Topics I discuss with TCSMs include reward amounts, incentive programs, escalations, and anything giving our customers any trouble. I’ve helped countless customers stand out to hackers and increase their engagement levels and I’m going to do the same for you.
There are a few key things I’d like to remind you about:
A compelling brief helps CrowdMatch do its thing, but there are many other benefits you may not have thought of. It’s truly worth taking a little extra time to improve your brief’s structure, clarity, and content so that it offers helpful guidance. With a well-written brief, you can expect to attract the right hackers with the right experience and skill set, which paves the way for efficient, consistent, high-quality activity. And of course, a clear brief minimizes confusion and maximizes focused effort right out of the gate. Remember: clarity and transparency foster trust between your organization and the hackers.
To attract people to your organization’s engagement, we have to incentivize them! Hackers have a lot of choice when it comes to projects they can work on, with varying scopes, rewards, incentives, and more. The options are endless, and a well-written brief both brings in new hackers and keeps loyal ones coming back. Here are a few easy ways to incentivize hackers:
Let’s quickly talk about “gamification.” It simply means incorporating game-like elements into non-game contexts to enhance engagement and participation. You’re most likely familiar with these techniques—think of leaderboards, achievements, and rankings.
Now let’s talk briefly about psychology, specifically the two types of motivation and how they can help you with crafting an excellent program brief. There are two types of motivation:
Yu-kai Chou developed the Octalysis framework, which outlines eight core drivers of motivation. Here’s how you can leverage the framework to write a compelling brief, based on the following core tenets:
Before discussing your own engagement, let’s start with the engagements page. This is where hackers can browse and filter engagements according to their preferences. When a hacker browses the engagements, they see something like this 👇:
There are a few key things to look at here:
The title and taglines are impactful, but they’re often misused. You want them to click into your engagement, not anyone else’s!
The most important piece of advice I have to give here is: use a recognizable name. Sometimes organizations list the parent company’s name, but most people aren’t familiar with it. For example, Commonwealth Bank is the parent company of Bankwest. While Commonwealth is a recognizable name on its own, listing it alone does not tell hackers which entities (such as Bankwest) are actually involved in the engagement.
This is your elevator pitch. Tell hackers who you are and make them want to choose your engagement.
Don’t say ❌: “Come hack us”—it’s obvious and lacks information.
Do say ✅: A descriptive hook statement about your organization. It should be unique to you and provide enough information to entice someone to want to learn more.
Your engagement page will look something like our public demo program Hack Me!:
This is where the hacker retrieves all the details about your engagement, such as who you are, your engagement’s scope, and any rewards and incentives. This is also their first step toward hacking on your engagement! Your TCSM will help you mold and refine the brief page, but here are some immediate steps you can take on your own.
At the top of the brief is space for a small blurb, or as I like to call it, the unofficial intro section. We want to achieve three things here:
This section is incredibly important and often misused. It is the on-screen version of high-value real estate, so treat it like a billboard in Times Square. If you don’t have anything extra to say, leave it blank so the hacker gets to the scope and rewards sooner (that is why they are summarized here).
This is a standard section. It typically states that your organization follows Bugcrowd’s Vulnerability Rating Taxonomy (VRT). If you intend to include one or two small deviations (e.g., “This vulnerability class will be considered P3 unless further impact is shown”), that’s fine. If you have a large number of deviations from the VRT, I recommend leaving them for a later section.
If you don’t use the VRT, state which classification method you do use, such as CVSS. That being said, the VRT has been refined over several years and is overseen by an active VRT council that monitors changes in the industry. I highly recommend using the VRT.
I wrote the changes for VRT 1.12 to include AI application security. Check it out.
This is where we get into the good stuff! A compelling scope is essential to your MBB.
This section is dependent on who you are and what you have in scope. Always lead with what’s in scope first, followed by what’s out of scope or any restrictions. Placing too much out of scope or narrowing your scope too much can disincentivize hackers.
I suggest following a pretty simple formula: Create a single in-scope target group and ensure it is in order before creating categorized target groups. When creating a single in-scope target group, make sure to give your TCSM as much information as possible. This allows them to assign appropriate target tags and helps CrowdMatch do its thing. Along these lines, when creating categorized target groups, group the targets in a way that is custom to your unique products and systems.
Quick word of advice: listing “anything we own” as in scope is risky. Testing a system is still illegal unless its owner has consented, and the scope is that consent, so we want to guide hackers carefully toward the right places. It’s fine to add “anything we own” as a target, but it should not be the only target. I’ll talk more about this later.
Lastly, If you’re going to include mobile targets, check out my Twitter thread here for advice.
If you’re a parent company, split your engagement up according to your child companies and group relevant information in the target group description.
There’s the “target group,” and there’s the “section.” The target group describes a specific target (or set of targets); a section exists to add clarity across the brief. Customers often confuse the two and spread information between them, leaving hackers confused.
There are two primary functions of the target group:
If your brand name also exists in other regions or industries, call that out to avoid confusion. For example, if you own store.com.au but store.com belongs to an unrelated company, explicitly mark store.com as out of scope so hackers don’t test someone else’s systems by mistake.
It’s important to be precise with your targets, because hackers will often start by loading your scope into commonly used tools like Burp Suite, where an ambiguous host or wildcard becomes an ambiguous scope rule. The target group is also a great spot to mention third-party dependencies you are not responsible for.
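To make the point concrete, here is an added example (not Bugcrowd’s code or tooling) of the kind of scope check a hacker’s tooling effectively performs when the brief’s target list is loaded into it. The hosts are constructed for illustration. Out-of-scope entries always win over in-scope entries, wildcards match on DNS labels rather than substrings, and the `naive_substring_check` function shows the mistake that lets a target like store.com silently “cover” store.com.au.

```python
"""Scope matcher for a bug bounty brief (added example, not Bugcrowd's code).

Models the in-scope / out-of-scope target lists from a brief as exact hosts
and '*.domain' wildcards and decides whether a URL or host may be tested.
Explicit out-of-scope entries always win, and matching is done on DNS labels,
so that a target such as store.com does not accidentally cover store.com.au.
"""
from urllib.parse import urlsplit

# Constructed sample scope, as a brief might list it (hypothetical hosts).
IN_SCOPE = [
    "store.com.au",
    "*.store.com.au",
    "api.partner-example.net",   # a single third-party host the org is responsible for
]
OUT_OF_SCOPE = [
    "store.com",                 # unrelated company with a similar brand
    "*.store.com",
    "legacy.store.com.au",       # owned, but explicitly excluded from testing
]


def host_of(target: str) -> str:
    """Return the lowercase hostname of a URL or bare host, without scheme or port."""
    if "://" not in target:
        target = "//" + target          # let urlsplit treat a bare host as a netloc
    host = urlsplit(target).hostname
    if not host:
        raise ValueError(f"no host in {target!r}")
    return host.lower().rstrip(".")


def matches(pattern: str, host: str) -> bool:
    """Label-wise match.

    '*.x.y' matches any subdomain of x.y but not x.y itself; a plain entry
    matches only that exact host.  Comparing on the leading '.' means
    '*.store.com' cannot match 'api.store.com.au'.
    """
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]            # ".x.y"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def classify(target: str, in_scope=IN_SCOPE, out_of_scope=OUT_OF_SCOPE) -> str:
    """Return 'in', 'out', or 'unlisted' for a URL or host.

    'unlisted' means the brief grants no consent for that host: do not test it.
    """
    host = host_of(target)
    if any(matches(p, host) for p in out_of_scope):
        return "out"
    if any(matches(p, host) for p in in_scope):
        return "in"
    return "unlisted"


def naive_substring_check(target: str, in_scope) -> bool:
    """The mistake to avoid: a substring test accepts store.com.au for 'store.com'."""
    host = host_of(target)
    return any(p.lstrip("*.") in host for p in in_scope)


if __name__ == "__main__":
    for t in ["https://STORE.com.au/login", "api.store.com.au:8443",
              "legacy.store.com.au", "https://store.com/", "www.store.com",
              "store.com.au.evil.example"]:
        print(f"{t:35} -> {classify(t)}")
    # With only 'store.com' listed, the naive check wrongly admits store.com.au.
    print(naive_substring_check("store.com.au", ["store.com"]))   # True (wrong)
    print(classify("store.com.au", ["store.com"], []))            # unlisted (right)
```

The takeaway for the brief author: write each host or wildcard exactly as you want it interpreted, list the look-alike domains you do not own as out of scope, and remember that anything you do not list is, from the hacker’s side, simply unlisted.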
Often, customers ask me for a “black box” or “like a real adversary” setup. Customers are interested in this route because it most closely imitates a malicious threat. The downsides are that you pay bounties per valid exploit, not for time as in a pen test, so this usually turns into an expensive red team exercise. Also, a bounty should pay for vulnerabilities in your application, not for someone bypassing your web application firewall (WAF). If the WAF is the only thing standing between a hacker and an insecure application, a bypass leaves you in big trouble.
Don’t forget: DOCUMENTATION. Help the hackers—don’t prevent them from doing their work. This is one of the easiest ways to get someone up to speed. You can achieve this through the following:
Remember: The more you can provide, the better!
Granting hackers access to your engagement early on is the best way to let them know how to access and authenticate accordingly. Every target is different, and every hacker has different specialties. There are some important things to consider when opening up your engagement for hackers. Addressing these considerations will make it easier for them to get started and quickly provide you valuable information on your engagement.
When granting access, ask yourself these questions:
If you have multiple sets of credentials, it’s helpful to inform hackers of this and the functional differences between them. This is especially helpful in relation to learning platforms where there are often two accounts, such as a student and a teacher.
It’s helpful here to inform the hacker if they need to do any of the following:
Providing self-sign-up access will give you the best results, because you’ve given the hacker the most access and the most ability to manipulate data.
In contrast, unauthenticated programs can be limiting, especially if little or no functionality is reachable within the scope you set out.
This is your chance to guide the hackers to areas most important to you. Common uses of this are as follows:
Some customers list the OWASP Top 10. There’s nothing wrong with this, but it’s the top 10 for a reason: hackers will almost always look for those issues anyway. Use your engagement as an opportunity to get on your soapbox and point out where a finding would be most valuable to you. Hackers benefit from easy-to-follow directions and opportunities to earn rewards, and you get the bugs.
Quick tip: instead of listing several conditions, generalize statements to limit actions that may negatively affect Confidentiality, Integrity, and Availability (CIA) for stakeholders. Hackers choose to hack with Bugcrowd to do the right thing and follow ethical protocols. There is no need to make this list overly long.
To simplify the idea of safe harbor: it’s essentially your agreement not to pursue legal action, such as criminal charges, against hackers who test in good faith within the rules of your engagement.
If you fail to list full or partial safe harbor stipulations on your engagement, hackers might be deterred, as they may fear you’ll send them to jail. Hackers hack on crowdsourced security platforms to do the right thing, not the wrong thing.
Thanks for taking the time to read my blog post about writing a compelling brief. I hope you found this helpful!
If you’d like to hear more from me, check out my last blog post where I help demystify and clarify the best type of crowdsourced offering for your organization.
If there are more topics you’d like to hear a TCSM cover, I’d love to hear from you! You can find me on Twitter and LinkedIn.